Alert Number: MC-000105-MW

WE NEED YOUR HELP!

If you find any of these indicators on your networks, or have related
information, please contact FBI CYWATCH immediately.

Email: cywatch@fbi.gov

Phone: 1-855-292-3937


The following information is being provided by the FBI, with no 
guarantees or warranties, for potential use at the sole discretion of 
recipients in order to protect against cyber threats. This data is 
provided to help cyber security professionals and system 
administrators guard against the persistent malicious actions of cyber 
criminals. 


This FLASH has been release d bh Subject to standard 


copyright rules, 
restriction. 
Master Decryption Keys for GandCrab, versions 4 through 5.2

Summary 

On 17 June 2019, the FBI, in partnership with law enforcement 
agencies from 8 European countries, as well as Europol and 
BitDefender, released a decryption tool applicable to all versions of 
GandCrab ransomware. The decryption tool can be found at 
www.nomoreransom.org. The collaborative efforts further identified
the master decryption keys for all new versions of GandCrab 
introduced since July 2018. The FBI is releasing the master keys in 
order to facilitate the development of additional decryption tools. 


*Note: By reporting any related information to FBI CyWatch, you are
assisting in sharing information that allows the FBI to track malicious
actors and coordinate with private industry and the United States
Government to prevent future intrusions and attacks.


GandCrab operates using a ransomware-as-a-service (RaaS) business 
model, selling the right to distribute the malware to affiliates in 
exchange for 40% of the ransoms. GandCrab was first observed in 
January 2018 infecting South Korean companies, but GandCrab 
campaigns quickly expanded globally to include US victims in early 
2018, impacting at least 8 critical infrastructure sectors. As a result, 
GandCrab rapidly rose to become the most prominent affiliate-based 
ransomware, and was estimated to hold 50% of the ransomware 
market share by mid-2018. Experts estimate GandCrab infected over 
500,000 victims worldwide, causing losses in excess of $300 million. 
Master Decryption Keys

GandCrab v4 and 5



GandCrab v5.0.4 - v5.1

GandCrab v5.2



Recommended Ransomware Mitigations 

The FBI recommends undertaking measures to secure systems against ransomware infection and to 
mitigate the impact of ransomware. Recommended measures include, but are not limited to, the 
following: 

- Train personnel to identify phishing attempts and how to respond to them. 

- Implement a strong patch management system and enable automatic patching. 

- Implement auto updates for antivirus software. 

- Implement the principle of least privilege and strictly manage privileged accounts. 

- Implement a robust backup system and store backups offline.

- Implement strong authentication requirements for remote desktop protocol (RDP).

Reporting Notice 

The FBI encourages recipients of this document to report information concerning suspicious or
criminal activity to their local FBI field office or the FBI's 24/7 Cyber Watch (CyWatch). Field office
contacts can be identified at www.fbi.gov/contact-us/field. CyWatch can be contacted by phone at
(855) 292-3937 or by e-mail at CyWatch@fbi.gov. When available, each report submitted should
include the date, time, location, type of activity, number of people, and type of equipment used for
the activity, the name of the submitting company or organization, and a designated point of contact.
Press inquiries should be directed to the FBI's National Press Office at npo@fbi.gov or (202) 324-3691.


Administrative Note 
For comments or questions related to the content or dissemination of this product, contact
CyWatch.


Your Feedback on the Value of this Product Is Critical 

Was this product of value to your organization? Was the content clear and concise? 
Your comments are very important to us and can be submitted anonymously. Please 
take a moment to complete the survey at the link below. Feedback should be specific to 
your experience with our written products to enable the FBI to make quick and 
continuous improvements to such products. Feedback may be submitted online here: 

https://www.ic3.gov/PIFSurvey 

Please note that this survey is for feedback on content and value only. Reporting of 
technical information regarding FLASH reports must be submitted through FBI CYWATCH. 